FAQ

The real questions are usually not “how do I scan?” but “why should I trust this result?”

Every question on this page is really about the same thing: when a system tells you whether a skill deserves installation, why should you believe it, and how should you use that conclusion correctly?

What does a ClawSafe verdict actually mean?

It is not a legal-grade claim that a skill is “absolutely safe” or “absolutely malicious”. It is a pre-install recommendation of block, review, or cautious allow, with the supporting evidence attached.

Does `trusted` mean absolutely safe?

No. It only means there is not enough strong malicious evidence to block the install right now. High-capability skills should still be deployed with least privilege and occasional human review.

Why would a skill be marked high risk?

The common reasons are declared-versus-actual capability mismatch, hidden execution chains, suspicious egress, sensitive access, or dependencies that widen the risk surface.

Why are reports public by default?

Because trust decisions need to be reviewable, shareable, and disputable. Public reports let teams discuss the same evidence instead of relying on retellings. Starter and Pro subscribers can mark individual reports as private.

Are uploaded raw files stored?

No. The system keeps the analysis results and report metadata, not the original code files you uploaded.

Can ClawSafe generate false positives?

Yes. Any system built on static evidence and semantic reasoning can produce false positives and false negatives, which is why the report exists to support judgment rather than replace it.

Does ClawSafe replace human code review?

No. It is better understood as a pre-install triage layer that quickly tells you which skills should be blocked and which ones deserve deeper review.

Where does this fit best?

PR gates, skill registry sync, approval flows, supply-chain reviews, and first-pass decisions inside internal security platforms.

Why show both a score and findings?

Scores are useful for sorting and thresholds. Findings are what explain why the decision exists. If you only look at the score, you lose the decision context.

What if I disagree with a report?

Bring the report link and your reasoning into review. We want the report to be arguable, not treated like an unquestionable black box.

If you already have a target to review, the best answer is usually not another FAQ entry. It is a scan.